These Play Store apps were stealing your Facebook password

Google has removed nine popular apps from the Play Store that contained trojans that stole users’ Facebook login details.


This follows a report by Dr Web describing how its malware analysts discovered malicious code in the apps, which had been downloaded more than 5.8 million times in total.

The nine apps that were found to be stealing Facebook logins and passwords were:

  • PIP Photo by Lillians, downloaded more than 5,000,000 times.
  • Processing Photo by chikumburahamilton, downloaded more than 500,000 times.
  • Horoscope Daily by Hscope Daily mom, downloaded more than 100,000 times.
  • Inwell Fitness by Reuben Germaine, downloaded more than 100,000 times.
  • Rubbish Cleaner by SNT.rbcl, downloaded more than 100,000 times.
  • App Lock Keep by Sheralaw Rence, downloaded more than 50,000 times.
  • App Lock Manager by Implummet col, downloaded more than 10,000 times.
  • Lockit Master by Enali mchicolo, downloaded more than 5,000 times.
  • Horoscope Pi by Talleyr Shauna, downloaded more than 1,000 times.

Below are screenshots of what the apps looked like on the Google Play Store.


Dr Web’s analysis found five variants of the malware across the nine apps: three were native Android apps and two were built with Google’s Flutter framework.

All of the variants used identical configuration file formats and JavaScript code, so they were classified as the same trojan.

To hide their true purpose, the apps were fully functional and did what they advertised.

Users were told that to unlock all of the app’s features and disable in-app ads, they had to log in to their Facebook accounts.

Once a user chose to do this, the trojan, after fetching its settings from a command-and-control (C&C) server, loaded the legitimate Facebook login page into an embedded WebView browser engine.

JavaScript received from the same C&C server was then injected into that WebView alongside the real page.

This script hooked the login form and captured the login and password the user typed into it.

Using methods the app exposed to the page through the JavascriptInterface annotation, the script passed the captured credentials back to the trojan’s native code, which forwarded them to the attackers’ C&C server.
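The chain just described (JavaScript enabled in a WebView, a native bridge exposed with JavascriptInterface, a script injected at runtime, and the real Facebook login page loaded inside the app) leaves recognisable traces in decompiled code. The following triage script is an added example, not code from the Dr Web report or from any of the apps it names; it assumes an APK has already been decompiled to Java-like text (for instance with jadx) and scores each file for those building blocks. The two sample sources inside it are constructed for illustration, and the names `Bridge` and `remoteScript` are hypothetical.

```python
"""Static triage of decompiled Android sources for a WebView credential-harvesting chain.

Added example, not code from the Dr Web report or from the apps it names. Assumes the
APK has been decompiled to Java-like text (e.g. with jadx); the two sample sources
below are constructed for illustration, not taken from any real app.
"""
import re
from dataclasses import dataclass, field

# (indicator, pattern, weight). The chain described in the article needs JavaScript
# enabled in a WebView, a native bridge exposed via @JavascriptInterface, script
# injected at runtime, and the real Facebook login page loaded inside the app.
INDICATORS = [
    ("js_enabled", re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"), 1),
    ("js_bridge", re.compile(r"addJavascriptInterface\s*\(|@JavascriptInterface"), 3),
    ("js_injection", re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'), 2),
    ("facebook_login", re.compile(r"facebook\.com/login", re.IGNORECASE), 3),
]
# Bridge + injection + login page (8) or the full chain (9) is flagged; a plain
# WebView with JavaScript enabled (1) is not, since many legitimate apps do that.
FLAG_THRESHOLD = 8


@dataclass
class TriageResult:
    name: str
    score: int = 0
    hits: dict = field(default_factory=dict)  # indicator -> [line numbers]

    @property
    def suspicious(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def triage_source(name: str, source: str) -> TriageResult:
    """Score one decompiled file. Each indicator adds its weight once, however
    many lines match; every matching line number is recorded for manual review."""
    result = TriageResult(name)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for indicator, pattern, weight in INDICATORS:
            if pattern.search(line):
                if indicator not in result.hits:
                    result.score += weight
                result.hits.setdefault(indicator, []).append(lineno)
    return result


def summarize(results) -> list:
    """One report line per file, most suspicious first."""
    lines = []
    for r in sorted(results, key=lambda r: r.score, reverse=True):
        verdict = "FLAG" if r.suspicious else "ok  "
        where = ", ".join(f"{k}@{v}" for k, v in sorted(r.hits.items()))
        lines.append(f"{verdict} {r.name:<14} score={r.score} {where}")
    return lines


# Constructed sample resembling the pattern the article describes. `Bridge` and
# `remoteScript` are hypothetical names standing in for the app's
# JavascriptInterface object and the C&C-supplied script.
SAMPLE_STEALER = """\
WebView web = findViewById(R.id.web);
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new Bridge(), "app");
web.setWebViewClient(new WebViewClient() {
    public void onPageFinished(WebView v, String url) {
        v.evaluateJavascript(remoteScript, null);  // script fetched from C&C
    }
});
web.loadUrl("https://www.facebook.com/login.php");
"""

# Constructed benign sample: JavaScript on, but no bridge, injection, or login page.
SAMPLE_BENIGN = """\
WebView help = findViewById(R.id.help);
help.getSettings().setJavaScriptEnabled(true);
help.loadUrl("https://example.com/help");
"""

if __name__ == "__main__":
    for line in summarize([triage_source("LoginActivity", SAMPLE_STEALER),
                           triage_source("HelpActivity", SAMPLE_BENIGN)]):
        print(line)
```

Run it over every `.java` file jadx produced and review anything scoring at or above the threshold; the recorded line numbers point straight at the bridge, the injection call, and the login URL, which is where a human analyst would start.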

Below is what the Facebook login process would look like to the user.

Dr Web informed Google of the malicious applications and the company subsequently removed the apps.

Google also told Ars Technica the developers were banned from the store.

However, nothing prevents them from creating new developer accounts under different names and returning to the store with new malicious apps.

If you installed one of these apps and logged in to Facebook through it, uninstall the app and change your Facebook password immediately. Because the script captured the password you typed, you should also review the active sessions listed in Facebook’s security settings, sign out any you do not recognise, and enable two-factor authentication if you have not already.

You should also check your phone or tablet for other signs of malware.

To do this, install a reliable antivirus app from a reputable security vendor and run a full scan; on most devices you can also run a Google Play Protect scan from the Play Store.

The most complete apps and protective features come at a cost, but there are several trusted Android antivirus apps with a free tier of service, including:
